Federal Information Security Management Act (FISMA)

Ensure governmental information, operations and assets are protected against natural or man-made threats.

Does being compliant to FISMA matter for my organization?

The Federal Information Security Management Act (FISMA) assigns responsibilities to various agencies to ensure the security of data within the federal government and affiliated parties (such as government contractors) by mandating information security controls and periodic audits.

What to know about the Role of NIST in FISMA Compliance:
The National Institute of Standards and Technology (NIST) is chartered with developing and issuing standards, guidelines and other publications which federal agencies must follow to implement FISMA and manage cost-effective programs to protect their information and information systems.
NIST standards and guidelines are arranged as follows:

  • Federal Information Processing Standards (FIPS)
  • Guidance documents and recommendations (issued in the NIST Special Publication (SP) 800 series)
  • Other security-related publications, including interagency and internal reports (NISTIRs)

What You Need to Do - and How MDS Can Help:

NIST has created a set of standards and guides which together form a Risk Management Framework for agencies to manage organizational risk in accordance with FISMA requirements. This framework sets forth an approach to security control selection and specification with consideration to effectiveness, efficiency, and constraints. Federal agencies must undertake the following steps to maintain an effective security program:


  • Step One: Define the criticality/sensitivity of the information system according to the potential impact of loss
  • Step Two: Select baseline (minimum) security controls to protect the information system; apply tailoring guidance as appropriate
  • Step Three: Use risk assessment results to supplement the tailored security control baseline as needed to ensure adequate security and due diligence
  • Step Four: Document the security plan, the security requirements for the information system and the security controls planned or in place
  • Step Five: Implement security controls; apply security configuration settings
  • Step Six: Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements)
  • Step Seven: Determine risk to agency operations, agency assets, or individuals and, if acceptable, authorize information system operation
  • Step Eight: Continuously track changes to the information system that may affect security controls and reassess control effectiveness


Key Takeaways:

With 75% of new attacks directed against software and 90% of all vulnerabilities found in software, NIST and FISMA recognize that federal agencies must place a strong emphasis on application security. Federal agencies wishing to improve their overall security along with their FISMA Grade should prepare for the new threats targeted at their applications and prepare themselves well in advance for more stringent requirements by evaluating their software using third-party application security providers such as MDS.

Which Regulations Matter to You?

The certified professionals at MDS will help you determine which regulations your organization needs to meet.

Our Pledge:

Building out and maintaining your IT ecosystem doesn’t have to be a do-it-yourself project. MDS can help identify network issues, configure devices, and optimize your infrastructure to maximize efficiency and performance. Our consultants are highly trained technology specialists that understand the complexities of multi-vendor environments and have the knowledge and skills to help your business become more agile, customer-focused and operationally efficient.

Contacts:

NYC Headquarters:
307 West 38th Street, Suite 1801
New York, NY 10018
Tel: 646-744-1000

Miami Office:
Tel: 786-899-2980

San Juan Office:
Tel: 646-460-6229

Email: contactus@mdsny.com